Image viewer dialog window

To enhance your privacy when using Android devices, we recently introduced privacy mode in Opera Max. Some of you asked how Opera Max classifies requests from apps you are using into three different risk levels. What do they mean?

First, a quick overview of how Opera Max’s privacy mode works:

After you press the button to turn on privacy mode, Opera Max uses the Android VPN API to capture both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic and send it to the Opera Max client.

After going through a local client-side routing component in Opera Max, the traffic is securely proxied to Opera data centers. Opera Max has data centers in two locations in the USA, one in the Netherlands and one in Singapore. We are also testing some nodes in Japan and India as possible next steps. All of our data collection is governed by Opera Max’s privacy policy and is subject to Norwegian privacy rules and regulations.

HTTP/HTTPS and other types of TCP data is carried over a SPDY-like with TLS encryption connection. We also separately send DNS look-ups (UDP) over DTLS (datagram over TLS) connection to Opera data centers for remote DNS resolution.

Once the data arrives on the server side, requests are checked against a server-side- maintained list of known URLs and top level domains that are only used for tracking and profiling users. We are currently using EasyPrivacy List, a leading community-created privacy list, as the core of the list of third-party tracking domains, plus a small number of additional tracking domains we have found elsewhere, such as domains that ADUPS uses. If there is a match, those requests are either duly blocked or are let through with cookies and tracking HTTP headers stripped. In the near future, we hope to create the largest and most up-to-date mobile privacy list available.

Statistics on these network requests are presented to the user inside Opera Max’s privacy timeline UI. We show request counts and classify the requests into three risk levels.

Second, we want to share the two main techniques we observed in computer science literature and papers on the topic of detecting Android app privacy leaks. These two approaches are at the cutting edge of mobile privacy research as far as we are aware. More certainly, these two approaches are what is commercially available as tools to Android users today.

Approaches to classify privacy risks from Android apps:

Static analysis of Android apps and APKs based on the SDKs, libraries and OS permissions that are included in the app code or are requested in runtime. For example, this is how Privacygrade.org works, a privacy letter grade for Android apps based on a Comp Sci. Lab research paper at Carnegie Mellon University in USA.

Dynamic analysis of web (HTTP and HTTPS) requests made by apps, and then matching those URLs to known filter lists. This paper from Sophie Antipolis University in France shows how analyzing with which URLs your apps connect in runtime is a powerful way to detect privacy risks.

Learning from both of these approaches, we focussed on making Opera Max a powerful privacy risk analysis and reporting tool, to visualize and create more transparency around app privacy risks.

What is common in both of these approaches, and in Opera Max’s philosophy, is that the biggest privacy threats (not the same as security threats) come from the apps themselves. Open and public Wi-Fi hotspots post privacy risks as well, but the apps that you install on your device misbehave a lot more than you think.

Right now, Opera Max uses only the second “dynamic” approach and actually looks through the requests your apps are sending to the internet to make sure they do not match any of the URL patterns listed on the EasyPrivacy list or advise on the encryption level of an apps request.

Three levels of privacy risk classification in 2.2.X versions of Opera Max

Opera Max uses a three-level risk classification scheme to help people easily understand the technical protocols and possible privacy leak vectors underneath the hood of how their apps communicate with various servers on the internet:

High Risks

Opera Max views any HTTP or HTTPS request to domains that are on the EasyPrivacy list as a “high privacy risk” event. This does not mean that this is a security risk where your credit card data or passwords are at risk, it just means that data is being shared by the app or website with a third party. Opera Max does not know what exactly is being shared, it just knows which app is making a connection to a domain or URL that is known for collecting data.

Medium Risks

Un-encrypted HTTP requests

Opera Max views any cleartext communication over a Wi-Fi or mobile network as a medium privacy risk. We believe that all network connections should be encrypted in order to minimize risk to users’ privacy.

Destination Domain Leaks

Destination domains leak via Domain Name Server LookUps or can be read from unencrypted HTTP headers, and even using HTTPS that leaks the destination through the Server Name Info (SNI) packet. Which domain your apps are connecting to is almost always revealed to Wi-Fi providers. Network admins, such as Wi-Fi providers at coffee shops or hotels, can see which top level domains your apps are connecting to. This data can be used to profile and target you in fairly good detail.

Low Risks

Secure HTTPS connections

Most apps that focus on user privacy also encrypt all of their web requests to go over HTTPS. This is accepted as the de facto secure communication protocol of websites and apps. So, Opera Max classifies HTTPS requests as low risk because there could be a destination domain leak vector on Wi-Fi networks because of the SNI component of the HTTPS protocol.

Privacy mode on while privacy risks are being protected by Opera Max:

This is how Opera Max shows app data usage details and breakdown while privacy mode is on. This video is showing a breakdown of the various types of privacy issues that were protected by Opera Max.

Opera Max’s challenge to Android OEMs, app developers and website developers: do not accept HTTPS as “private enough”. If you are an app developer that utilizes webview components from Android OS to load lots of various domains, or if you are an Android OEM, we recommend that you keep pushing the envelope on increasing the state of user privacy.

We believe that network admins should not be able to see which domains your apps are connecting to by looking at DNS traffic and the SNI component of HTTPS requests.

Most well-implemented VPN apps or services like Opera Max or Opera Mini provide this level of “destination domain leak” protection by showing the network that all traffic is headed to Opera data centers. From there, Opera’s cloud connects to all the origin servers to fetch and proxy all of the info for your apps and websites to load, just a bit more anonymously.

We believe the widespread use of VPNs on Android is on its way to the mainstream.

We hope that you agree with this and keep supporting Opera Max’s privacy mode as we work on making the state of Android privacy management easy to use and available to all.